Network Security Services
Do you have concerns about network security? If you do, you are not alone. Malware has become more sophisticated, and the development of targeted malware is big business. If you have financial and other corporate data that you want to keep private, there are steps you can take at the network level to help you do that.
Network Security Planning
The process begins with a network security plan, and the development of a network design that supports your goals. For example, if you are working to achieve PCI compliance, you may need to establish multiple security zones. The prudent use of VLANs, layer-three switches, and firewalls on your network is key to creating these zones.
A few of the many other factors to consider in your network security planning are:
- Network Perimeter Design
- Firewall features and configuration
- Virtual Private Network (VPN) Design
- Bring Your Own Device (BYOD) policy and management
- Email filtering
- Web filtering
- Application visibility and deep packet inspection
- Intrusion detection
- Cloud-based "reputation" services
- Firewall integration with Active Directory
- Firewall logging and reporting
- Wireless security and access control
Each one of these is a topic in itself. Deep packet inspection and cloud-based reputation services, for example, can tell you whether targeted malware has already struck your network: a cloud-based reputation service provides a list of URLs for known botnet "command and control" centers, and the firewall appliance uses that list to identify compromised workstations on your network when they "phone home" to a command and control center.
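The matching step described above, as an added illustration that is not code from this page or from Cisco Firepower: a feed of known C2 destinations is normalized into hostname and IP indicator sets, and outbound connection log lines are checked against them so that internal hosts that repeatedly "phone home" stand out. Both the feed entries and the log lines are constructed for the example (the hostnames use the reserved .invalid TLD and the addresses come from documentation ranges); the key=value log format and all function names are assumptions, not a real appliance's output.

```python
"""
Correlating outbound connection logs with a reputation feed of known
command-and-control (C2) destinations to flag compromised workstations.

Everything below is constructed sample data for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for a cloud reputation feed. The entries are
# made up: .invalid hostnames and a TEST-NET-3 address, not real indicators.
C2_FEED = [
    "http://c2-example.invalid/gate.php",
    "https://update.badhost.invalid:8443/beacon",
    "203.0.113.45",
]

# Constructed firewall connection log, one key=value record per line.
# The log format is an assumption for this example.
SAMPLE_LOG = """\
ts=2024-05-01T08:12:03Z src=10.1.20.15 dst=198.51.100.10 dport=443 host=intranet.example.internal url=https://intranet.example.internal/
ts=2024-05-01T08:12:09Z src=10.1.20.31 dst=203.0.113.45 dport=80 host=c2-example.invalid url=http://c2-example.invalid/gate.php?id=31
ts=2024-05-01T08:13:44Z src=10.1.20.31 dst=203.0.113.45 dport=80 host=c2-example.invalid url=http://c2-example.invalid/gate.php?id=31
ts=2024-05-01T08:15:02Z src=10.1.30.7 dst=192.0.2.77 dport=8443 host=update.badhost.invalid url=https://update.badhost.invalid:8443/beacon
ts=2024-05-01T08:16:10Z src=10.1.20.15 dst=192.0.2.5 dport=443 host=www.example.com url=https://www.example.com/news
"""


def parse_feed(feed):
    """Split feed entries into a set of C2 hostnames and a set of C2 IPs.

    URL entries are reduced to their hostname (lower-cased, port dropped) so
    that a beacon with a different path or query string still matches.
    Bare entries without a scheme are treated as IP addresses.
    """
    hosts, ips = set(), set()
    for entry in feed:
        entry = entry.strip()
        if "://" in entry:
            host = urlsplit(entry).hostname
            if host:
                hosts.add(host.lower())
        elif entry:
            ips.add(entry)
    return hosts, ips


def parse_log_line(line):
    """Parse one key=value record into a dict (first '=' separates key)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_compromised(log_text, hosts, ips):
    """Return {internal source IP: [(timestamp, matched indicator), ...]}.

    A record matches if its destination IP is in the feed, or if the
    requested hostname is one of the feed's C2 hostnames.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        indicator = None
        if rec.get("dst") in ips:
            indicator = rec["dst"]
        else:
            host = (rec.get("host") or "").lower()
            if host in hosts:
                indicator = host
        if indicator and "src" in rec:
            hits[rec["src"]].append((rec.get("ts", "?"), indicator))
    return dict(hits)


if __name__ == "__main__":
    c2_hosts, c2_ips = parse_feed(C2_FEED)
    for src, events in sorted(find_compromised(SAMPLE_LOG, c2_hosts, c2_ips).items()):
        # A host that beacons repeatedly is the one to pull off the network first.
        print(f"{src}: {len(events)} C2 contact(s), e.g. {events[0][1]} at {events[0][0]}")
```

Matching on hostname rather than the full URL is deliberate: beacons often vary the path or query per victim, so an exact-URL comparison would miss them, while the destination IP check catches traffic that carries no hostname at all.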
Network Security with Cisco Firepower
Cisco's new CEO has made network security a top priority for the company, and it shows. In the last three years, Cisco has brought a slew of new security-related products to market. The most important of these from our standpoint is Cisco Firepower Services, which allows us to build network perimeters with far greater security and visibility than we have had in the past. A typical Firepower deployment for most of our customers would include:
- Firepower Management Center (VM or HW appliance)
- Next Generation Firewall
- Optional redundant Firewall
- Threat (IPS) License
- Optional URL (Web filtering) License
- Optional AMP (file scanner) License
The Firepower Management Center (FMC) is the heart of the security system. It is used for firewall configuration, network policy configuration, network incident response, and network incident analysis. It is also responsible for pulling software updates, geolocation updates, IP and URL reputation updates, and IPS signature updates from the Cisco cloud. In addition, it can communicate with your Microsoft Domain controllers to pull userid-to-IP mappings and Active Directory user group information.
Cisco's Next Generation Firewalls include the ASA5500-X series for Internet connections under two gigabit/sec, as well as the FPR2100 series, FPR4100 series, and FPR9000 series for connections two gigabit/sec and above. (Note that the highest-capacity firewalls should be paired with the larger hardware FMC appliances.) All Next Generation Firewalls are managed using the FMC, provided they are running the Cisco Threat Defense software image.
The Cisco Next Generation Firewalls can be licensed with one or more capabilities. All systems will be network application-aware. Most if not all deployments will also have the Threat license installed, which provides intrusion protection (formerly IPS) capabilities. The firewall can also be licensed for URL (web) filtering and file attachment scanning (AMP).
Next Steps
Yes, we agree that this is all getting pretty complex. We also know that you may not want to address all these issues at once. Let us work with you to prioritize and build your security infrastructure. We specialize in building enterprise-class network security perimeters using the Cisco family of ASA5500-X and Next-Generation Firewall security appliances, so we can start there.
When you are ready to look at the next steps to enhance your network security, email us at flg@flgnetworking.com.